Help needed for configuring firewall with YAST
Hello all,

For a while now I've noticed the following lines in my firewall log:

Jul 18 21:40:11 penguin dhcpcd[109]: sending DHCP_REQUEST for 213.224.69.28 to 195.130.132.18
Jul 18 21:40:11 penguin kernel: Packet log: input DENY eth0 PROTO=17 195.130.132.18:67 213.224.69.28:68 L=330 S=0x00 I=60193 F=0x4000 T=252 (#127)
Jul 18 21:40:11 penguin dhcpcd[109]: DHCP_ACK received from (195.130.132.18)

Can anyone help me? It appears among the 'critical' messages for the firewall. I would like to allow these requests through my firewall, but I didn't succeed. I'm trying to configure it with YaST & the FW_ variables in the configuration file.

Thanks in advance,
Franky.

--
===================================
GOETHALS Franky
Driegaaienstraat 104
B-9100 SINT-NIKLAAS
B E L G I E
Systeemingenieur Mainframe
Tel./Fax : 32 - (0)3 / 776.10.09
GSM : 32 - (0)478 / 21.40.94
franky.goethals@pandora.be
===================================
On Sat, 5 Aug 2000, Franky GOETHALS wrote:

> For a while now I've noticed the following lines in my firewall log:
>
> Jul 18 21:40:11 penguin dhcpcd[109]: sending DHCP_REQUEST for 213.224.69.28 to 195.130.132.18
> Jul 18 21:40:11 penguin kernel: Packet log: input DENY eth0 PROTO=17 195.130.132.18:67 213.224.69.28:68 L=330 S=0x00 I=60193 F=0x4000 T=252 (#127)
> Jul 18 21:40:11 penguin dhcpcd[109]: DHCP_ACK received from (195.130.132.18)
>
> Can anyone help me? It appears among the 'critical' messages for the firewall.

What it's telling you is that host 195.130.132.18 is sending a UDP (PROTO=17) packet to host 213.224.69.28 with BOOTP information (ports 67 & 68) and that packet is being denied. If you use the standard SuSE firewall configuration script (/etc/rc.config.d/firewall.rc.config) you should have:

FW_SERVICE_DHCLIENT="no"   # if you use dhclient to get an ip address
                           # you have to set this to "yes" !

Set it to yes, or manually add a rule for accepting BOOTP packets.

> I would like to allow these requests through my firewall, but I didn't succeed. I'm trying to configure it with YaST & the FW_ variables in the configuration file.
>
> Thanks in advance,
> Franky.

good luck
Stefan

==========================================
Stefan Suurmeijer
Network Specialist
University of Groningen
tel: (+31) 50 363 3423
fax: (+31) 50 363 7272
E-mail (business): s.m.suurmeijer@let.rug.nl
E-mail (private): stefan@symbolica.nl
==========================================
Quis custodiet ipsos custodes? (Who'll watch the watchmen?) - Unknown
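To make the "what it's telling you" reading of that kernel line mechanical, here is a small parser for the ipchains "Packet log:" format, written for this thread and not code from the original posts or from SuSEfirewall. The first log line in the sample is the one Franky posted; the TCP line and the second DHCP line are constructed for illustration. It pulls out chain, target, interface, PROTO=, src:sport, dst:dport, L=, S=, I=, F=, T= and the trailing (#n), which ipchains uses for the number of the rule that matched, and it flags any denied UDP packet from port 67 to port 68, i.e. a DHCP OFFER/ACK coming back from the server:

```python
"""Parse ipchains "Packet log:" kernel lines and pick out denied DHCP replies."""
import re

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9a-f]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-f]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?", re.IGNORECASE)

# Constructed sample: line 2 is the one from the thread, lines 4 and 5 are made up
# (a telnet SYN from an outside host, and another client's DHCP broadcast).
SAMPLE_LOG = """\
Jul 18 21:40:11 penguin dhcpcd[109]: sending DHCP_REQUEST for 213.224.69.28 to 195.130.132.18
Jul 18 21:40:11 penguin kernel: Packet log: input DENY eth0 PROTO=17 195.130.132.18:67 213.224.69.28:68 L=330 S=0x00 I=60193 F=0x4000 T=252 (#127)
Jul 18 21:40:11 penguin dhcpcd[109]: DHCP_ACK received from (195.130.132.18)
Jul 18 21:41:03 penguin kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:4711 213.224.69.28:23 L=60 S=0x00 I=1 F=0x4000 T=57 (#22)
Jul 18 21:41:09 penguin kernel: Packet log: input DENY eth0 PROTO=17 0.0.0.0:68 255.255.255.255:67 L=328 S=0x00 I=2 F=0x0000 T=64 (#22)
"""


def parse_packet_log(line):
    """Return the packet fields of one kernel log line, or None for other lines."""
    m = PACKET_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec


def classify(rec):
    """Name the traffic class; DHCP is UDP between the BOOTP ports 67 and 68."""
    if rec["proto"] == 17 and rec["sport"] == 67 and rec["dport"] == 68:
        return "dhcp-server-reply"      # OFFER/ACK coming back to a client
    if rec["proto"] == 17 and rec["sport"] == 68 and rec["dport"] == 67:
        return "dhcp-client-request"    # DISCOVER/REQUEST sent by a client
    return "other"


def denied_dhcp_replies(log_text):
    """(src, dst, matching rule number) for every denied server->client DHCP packet."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_packet_log(line)
        if rec and rec["target"] == "DENY" and classify(rec) == "dhcp-server-reply":
            hits.append((rec["src"], rec["dst"], rec["rule"]))
    return hits


if __name__ == "__main__":
    for src, dst, rule in denied_dhcp_replies(SAMPLE_LOG):
        print(f"DHCP reply from {src}:67 to {dst}:68 denied by rule #{rule}; "
              "check FW_SERVICE_DHCLIENT and the rule order in 'ipchains -L input'")
```

Run over a whole /var/log/messages the same function gives you the list of DHCP servers whose replies are being dropped and the rule number that dropped each one, which is the number to look up in the full `ipchains -L input` listing.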
Stefan Suurmeijer wrote:

> On Sat, 5 Aug 2000, Franky GOETHALS wrote:
>
> > Can anyone help me? It appears among the 'critical' messages for the firewall.
>
> What it's telling you is that host 195.130.132.18 is sending a UDP (PROTO=17) packet to host 213.224.69.28 with BOOTP information (ports 67 & 68) and that packet is being denied. If you use the standard SuSE firewall configuration script (/etc/rc.config.d/firewall.rc.config) you should have:
>
> FW_SERVICE_DHCLIENT="no"   # if you use dhclient to get an ip address
>                            # you have to set this to "yes" !
>
> Set it to yes, or manually add a rule for accepting BOOTP packets.

Stefan,

The value of this variable is already 'yes'.
Any other ideas?

Thanks already,
Franky.

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
On Sun, 6 Aug 2000, Franky GOETHALS wrote:

> Stefan,
>
> The value of this variable is already 'yes'.
> Any other ideas?

Well, if that value is set to yes, theoretically all traffic coming from system x port 67 to your port 68 should be allowed (see /sbin/SuSEfirewall). If it isn't, you probably defined another rule somewhere specifically denying these connections from this system. To say anything meaningful, I'd have to take a look at either your firewall.rc.config or your ipchains -L output. What you could do is take a look at your ipchains -L|grep DENY output and see if there's a rule blocking UDP connections from the DHCP server. If you really want control over the rules generated, you should use a custom-made script instead of SuSEfirewall, adding only those rules you need.

Stefan
Stefan Suurmeijer wrote:

> On Sun, 6 Aug 2000, Franky GOETHALS wrote:
>
> > The value of this variable is already 'yes'.
> > Any other ideas?
>
> Well, if that value is set to yes, theoretically all traffic coming from system x port 67 to your port 68 should be allowed (see /sbin/SuSEfirewall). If it isn't, you probably defined another rule somewhere specifically denying these connections from this system. To say anything meaningful, I'd have to take a look at either your firewall.rc.config or your ipchains -L output. What you could do is take a look at your ipchains -L|grep DENY output and see if there's a rule blocking UDP connections from the DHCP server. If you really want control over the rules generated, you should use a custom-made script instead of SuSEfirewall, adding only those rules you need.
>
> Stefan
Stefan,

Attached is my /etc/rc.config.d/firewall.rc.config, and below some other output:
root@penguin:/etc > ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:04:40:83:11
          inet addr:213.224.20.136  Bcast:213.224.21.255  Mask:255.255.254.0
          UP BROADCAST NOTRAILERS RUNNING PROMISC  MTU:1500  Metric:1
          RX packets:155572 errors:0 dropped:0 overruns:0 frame:0
          TX packets:119434 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:100
          Interrupt:9 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:403 errors:0 dropped:0 overruns:0 frame:0
          TX packets:403 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:01:00:00
          inet addr:192.168.164.1  Bcast:192.168.164.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:41310 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53743 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100

root@penguin:/etc > ipchains -L|grep DENY
Chain input (policy DENY):
DENY       all  ----l-  213.224.20.0/23       anywhere              n/a
DENY       all  ----l-  192.168.164.0/24      anywhere              n/a
DENY       all  ----l-  192.168.164.0/24      anywhere              n/a
DENY       all  ----l-  213.168.164.0/24      anywhere              n/a
DENY       all  ----l-  213.224.0.0/24        anywhere              n/a
DENY       all  ----l-  linux                 anywhere              n/a
DENY       all  ----l-  dhcp-213-224-20-136.kabel.pandora.be  anywhere  n/a
DENY       all  ----l-  loopback/8            anywhere              n/a
DENY       all  ----l-  anywhere              loopback/8            n/a
DENY       all  ----l-  192.168.164.0/24      linux                 n/a
DENY       all  ----l-  192.168.164.0/24      dhcp-213-224-20-136.kabel.pandora.be  n/a
DENY       all  ----l-  213.168.164.0/24      linux                 n/a
DENY       all  ----l-  213.168.164.0/24      dhcp-213-224-20-136.kabel.pandora.be  n/a
DENY       all  ----l-  213.224.0.0/24        linux                 n/a
DENY       all  ----l-  213.224.0.0/24        dhcp-213-224-20-136.kabel.pandora.be  n/a
DENY       all  ----l-  anywhere              192.168.164.0/24      n/a
DENY       all  ----l-  anywhere              192.168.164.0/24      n/a
DENY       all  ----l-  anywhere              213.168.164.0/24      n/a
DENY       all  ----l-  anywhere              213.224.0.0/24        n/a
DENY       all  ----l-  anywhere              anywhere              n/a
Chain forward (policy DENY):
DENY       all  ----l-  anywhere              anywhere              n/a
I don't understand where it gets all those denies from....
Can you please help?

Thanks,
Franky.
# Copyright (c) 1999,2000 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Marc Heuse
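One thing `ipchains -L|grep DENY` cannot show is ordering: ipchains takes the first rule that matches, and the grep throws away the ACCEPT rules, so you cannot see whether the DHCP accept sits before or after the final "DENY all anywhere anywhere" that ends Franky's input chain. The script below, written for this thread and not code from the original posts or from SuSEfirewall, parses a listing in the `ipchains -L` format Franky posted and walks the input chain with first-match semantics for the packet from his log (udp 195.130.132.18:67 -> 213.224.69.28:68). The listing is constructed: a subset of his DENY rules, plus an ACCEPT rule for DHCP server replies (udp, any:67 -> any:68, which `ipchains -L` prints as "bootps -> bootpc") placed either before or after the catch-all. Assumptions, also marked in the code: 'anywhere' is 0.0.0.0/0, 'loopback/8' is 127.0.0.0/8, and both 'linux' and dhcp-213-224-20-136.kabel.pandora.be stand for the host's own address 213.224.20.136 from the ifconfig output (the thread does not show /etc/hosts, so that mapping is assumed).

```python
"""First-match evaluation of an `ipchains -L` listing for one packet."""
import ipaddress
import re

SERVICE_PORTS = {"bootps": 67, "bootpc": 68}   # names ipchains prints without -n
HOSTS = {"linux": "213.224.20.136",            # assumed name -> address mapping;
         "dhcp-213-224-20-136.kabel.pandora.be": "213.224.20.136"}  # not in the thread

HEADER = "Chain input (policy DENY):\ntarget prot opt source destination ports\n"
DHCP_ACCEPT = "ACCEPT udp ------ anywhere anywhere bootps -> bootpc\n"
# Constructed: a subset of the DENY rules from the posted `ipchains -L|grep DENY`.
POSTED_DENIES = """\
DENY all ----l- 213.224.20.0/23 anywhere n/a
DENY all ----l- 192.168.164.0/24 anywhere n/a
DENY all ----l- 213.224.0.0/24 anywhere n/a
DENY all ----l- linux anywhere n/a
DENY all ----l- loopback/8 anywhere n/a
DENY all ----l- anywhere loopback/8 n/a
DENY all ----l- anywhere 192.168.164.0/24 n/a
DENY all ----l- anywhere anywhere n/a
"""


def to_network(text):
    """Map an ipchains source/destination column to an ip_network."""
    if text == "anywhere":
        return ipaddress.ip_network("0.0.0.0/0")
    host, _, prefix = text.partition("/")
    host = {"loopback": "127.0.0.0"}.get(host, HOSTS.get(host, host))
    return ipaddress.ip_network(f"{host}/{prefix or 32}", strict=False)


def to_port(text):
    return None if text == "any" else int(SERVICE_PORTS.get(text, text))


def parse_listing(listing):
    """Return {chain: (policy, [rule dicts])} from `ipchains -L` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\w+)\)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        f = line.split()
        if not f or f[0] == "target" or current is None:
            continue
        sport = dport = None
        if f[5] != "n/a":                       # "sport -> dport" for tcp/udp rules
            sport, dport = to_port(f[5]), to_port(f[7])
        chains[current][1].append(dict(target=f[0], proto=f[1], src=to_network(f[3]),
                                       dst=to_network(f[4]), sport=sport, dport=dport))
    return chains


def evaluate(chains, chain, proto, src, sport, dst, dport):
    """Walk the chain in order; return (target, rule number), or (policy, None)."""
    policy, rules = chains[chain]
    for number, r in enumerate(rules, 1):
        if (r["proto"] in ("all", proto)
                and ipaddress.ip_address(src) in r["src"]
                and ipaddress.ip_address(dst) in r["dst"]
                and r["sport"] in (None, sport)
                and r["dport"] in (None, dport)):
            return r["target"], number
    return policy, None


def dhcp_ack_verdict(listing):
    """Verdict for the packet from the log: udp 195.130.132.18:67 -> 213.224.69.28:68."""
    return evaluate(parse_listing(listing), "input", "udp",
                    "195.130.132.18", 67, "213.224.69.28", 68)


def posted_only():
    return dhcp_ack_verdict(HEADER + POSTED_DENIES)


def accept_before_catchall():
    return dhcp_ack_verdict(HEADER + DHCP_ACCEPT + POSTED_DENIES)


def accept_after_catchall():
    return dhcp_ack_verdict(HEADER + POSTED_DENIES + DHCP_ACCEPT)


if __name__ == "__main__":
    for name, fn in [("only the posted DENY rules", posted_only),
                     ("ACCEPT before the catch-all DENY", accept_before_catchall),
                     ("ACCEPT after the catch-all DENY", accept_after_catchall)]:
        print(f"{name}: {fn()}")
```

None of the anti-spoofing DENY rules match a packet from 195.130.132.18 to 213.224.69.28, so with the posted rules alone the packet falls through to the catch-all at the end of the chain; an ACCEPT for bootps -> bootpc only helps if it is listed before that catch-all, which is why the full `ipchains -L input` (or `ipchains -nL` to skip the name lookups) is needed rather than the DENY lines alone.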